Should I use multiple IP addresses?

Answered Question

I am going to have to set up an ASA 5505. I will have Citrix and Microsoft Exchange sitting behind the ASA. Should I just use one IP address and forward ports as needed, or should I use a separate IP for Citrix, Exchange, ASA public, etc.?


Thanks for any responses, Bill

Correct Answer
Richard Burts Tue, 05/20/2008 - 10:52
Bill


If you have the addresses available I would advocate for using separate addresses for each server. In that case you will need just a straight static translation for each address. It is more simple and more clean. It is also a bit more obvious and that could be an advantage if something is not working and you are in the middle of troubleshooting.


HTH


Rick

Richard Burts Tue, 05/20/2008 - 11:48
Bill


Yes the public interface would get public addresses.


HTH


Rick

Correct Answer
Jon Marshall Tue, 05/20/2008 - 11:52
Bill


No, you don't need to do this. As long as the public IP addresses are routed to the outside interface of your firewall, then you only need to configure one address on the public interface, e.g.


212.17.10.0 255.255.255.240


Outside interface of ASA


212.17.10.2 255.255.255.240


Inside interface of ISP router


212.17.10.1 255.255.255.240


Then the rest of the addresses you can use as


static (inside,outside) 212.17.10.3 192.168.5.1 netmask 255.255.255.255


where 192.168.5.1 is one of your internal servers.


The ASA will then respond to any traffic destined for 212.17.10.3, NAT it to 192.168.5.1 and forward it on to the internal server.


Obviously you need to allow the traffic from the outside with an access-list.


Also your servers may be on a DMZ in which case just substitute the "inside" in your static statement with whatever the DMZ interface is called.


Jon
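
The configuration both answers describe, written out as an added example rather than anything either poster configured: one public address on the outside interface, a one-to-one static per server for the remaining public addresses (Rick's "straight static translation for each address"), and an inbound access-list that permits only the ports each server has to expose. The syntax is the pre-8.3 `static (inside,outside)` form used above; the VLAN interface names, inside addressing, which server is Exchange and which is Citrix, and the port numbers (SMTP 25 and HTTPS 443 for Exchange, ICA 1494 for Citrix) are assumptions made for the example.

```cisco
! Constructed example, not from the thread. ASA 8.0-era (pre-8.3) syntax.
! Interface names, inside addressing, server roles and ports are assumptions.
!
! Outside interface carries the single public address; the ISP router is the default gateway.
interface Vlan2
 nameif outside
 security-level 0
 ip address 212.17.10.2 255.255.255.240
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.254 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 212.17.10.1
!
! One static one-to-one translation per server. The remaining public
! addresses (.3, .4, ...) are never configured on an interface; the ASA
! answers for them because of the static. 192.168.5.1 is assumed to be
! Exchange and 192.168.5.2 the Citrix server.
static (inside,outside) 212.17.10.3 192.168.5.1 netmask 255.255.255.255
static (inside,outside) 212.17.10.4 192.168.5.2 netmask 255.255.255.255
!
! Inbound access-list. In pre-8.3 code the ACL matches the translated
! (public) address. Permit only the ports each server must expose; the
! explicit final deny with "log" makes dropped inbound attempts visible
! in syslog instead of relying silently on the implicit deny.
access-list outside_in extended permit tcp any host 212.17.10.3 eq 25
access-list outside_in extended permit tcp any host 212.17.10.3 eq 443
access-list outside_in extended permit tcp any host 212.17.10.4 eq 1494
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

To check that a given static and ACL line actually line up, `show xlate` lists the active translations and `packet-tracer input outside tcp <source-ip> 12345 212.17.10.3 443` walks a simulated inbound packet through NAT and the access-list and reports which rule permitted or dropped it. Note that from ASA 8.3 onward the NAT syntax changes to `object network` with `nat (inside,outside) static ...`, and inbound access-lists then match the real (inside) address rather than the public one, so this fragment applies as written only to pre-8.3 code.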

Richard Burts Tue, 05/20/2008 - 12:25
Jon


I think that perhaps we are trying to say the same thing from slightly different perspectives. In the original post the question was:

"should i just use one ip address and forward ports as needed, or should i use a separate IP for citrix, exchange, asa public, etc."


My response was that a single address with port forwarding was overly complex. That is essentially the same thing that you are saying. Your response is much more specific about doing the translations but still assumes that he will use a group of public addresses associated with the public interface.


HTH


Rick

Jon Marshall Tue, 05/20/2008 - 12:27
Rick


I agree that using individual addresses is the simplest approach.


It's one of those things where interpretation of the question comes in. I thought Bill was asking if all the public IP addresses that were allocated would actually need to be configured on the ASA outside interface which obviously isn't needed.


Jon

Richard Burts Tue, 05/20/2008 - 12:35
Jon


Agreed that there is interpretation of the question which leads to different emphases, and certainly agreed that the outside interface needs only a single address configured.


HTH


Rick
